From: Greg Kroah-Hartman
Date: Thu, 30 Apr 2026 09:36:46 +0000 (+0200)
Subject: drop 6.1 xen patches that are already in a release
X-Git-Tag: v6.12.86~94
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5f1cc1b140cd69eb09d8ab7de07154c57ee41852;p=thirdparty%2Fkernel%2Fstable-queue.git
drop 6.1 xen patches that are already in a release
---
diff --git a/queue-6.1/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch b/queue-6.1/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
deleted file mode 100644
index 399ce8324d..0000000000
--- a/queue-6.1/buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 08108583b86912f181ef8282630c68f2248de146 Mon Sep 17 00:00:00 2001
-From: Juergen Gross
-Date: Fri, 27 Mar 2026 14:13:38 +0100
-Subject: Buffer overflow in drivers/xen/sys-hypervisor.c
-
-From: Juergen Gross
-
-commit 27fdbab4221b375de54bf91919798d88520c6e28 upstream.
-
-The build id returned by HYPERVISOR_xen_version(XENVER_build_id) is
-neither NUL terminated nor a string.
-
-The first causes a buffer overflow as sprintf in buildid_show will
-read and copy till it finds a NUL.
-
-00000000 f4 91 51 f4 dd 38 9e 9d 65 47 52 eb 10 71 db 50 |..Q..8..eGR..q.P|
-00000010 b9 a8 01 42 6f 2e 32 |...Bo.2|
-00000017
-
-So use a memcpy instead of sprintf to have the correct value:
-
-00000000 f4 91 51 f4 dd 00 9e 9d 65 47 52 eb 10 71 db 50 |..Q.....eGR..q.P|
-00000010 b9 a8 01 42 |...B|
-00000014
-
-(the above have a hack to embed a zero inside and check it's
-returned correctly).
-
-This is XSA-485 / CVE-2026-31786
-
-Fixes: 84b7625728ea ("xen: add sysfs node for hypervisor build id")
-Signed-off-by: Frediano Ziglio
-Reviewed-by: Juergen Gross
-Signed-off-by: Juergen Gross
-Signed-off-by: Greg Kroah-Hartman
---
- drivers/xen/sys-hypervisor.c | 8 ++++++--
- 1 file changed, 6 insertions(+), 2 deletions(-)
-
---- a/drivers/xen/sys-hypervisor.c
-+++ b/drivers/xen/sys-hypervisor.c
-@@ -363,6 +363,8 @@ static ssize_t buildid_show(struct hyp_s
- ret = sprintf(buffer, "");
- return ret;
- }
-+ if (ret > PAGE_SIZE)
-+ return -ENOSPC;
- 
- buildid = kmalloc(sizeof(*buildid) + ret, GFP_KERNEL);
- if (!buildid)
-@@ -370,8 +372,10 @@ static ssize_t buildid_show(struct hyp_s
- 
- buildid->len = ret;
- ret = HYPERVISOR_xen_version(XENVER_build_id, buildid);
-- if (ret > 0)
-- ret = sprintf(buffer, "%s", buildid->buf);
-+ if (ret > 0) {
-+ /* Build id is binary, not a string. */
-+ memcpy(buffer, buildid->buf, ret);
-+ }
- kfree(buildid);
- 
- return ret;
diff --git a/queue-6.1/series b/queue-6.1/series
index 4e6bf49e24..96517edd3b 100644
--- a/queue-6.1/series
+++ b/queue-6.1/series
@@ -177,5 +177,3 @@ regset-use-kvzalloc-for-regset_get_alloc.patch
 device-property-make-modifications-of-fwnode-flags-thread-safe.patch
 ocfs2-split-transactions-in-dio-completion-to-avoid-credit-exhaustion.patch
 driver-core-don-t-let-a-device-probe-until-it-s-read.patch
-buffer-overflow-in-drivers-xen-sys-hypervisor.c.patch
-xen-privcmd-fix-double-free-via-vma-splitting.patch
diff --git a/queue-6.1/xen-privcmd-fix-double-free-via-vma-splitting.patch b/queue-6.1/xen-privcmd-fix-double-free-via-vma-splitting.patch
deleted file mode 100644
index 28aa98b6c9..0000000000
--- a/queue-6.1/xen-privcmd-fix-double-free-via-vma-splitting.patch
+++ /dev/null
@@ -1,62 +0,0 @@
-From 1931e8c58bdab67fc8bcdf6543aa4946a359218a Mon Sep 17 00:00:00 2001
-From: Juergen Gross
-Date: Fri, 10 Apr 2026 09:20:04 +0200
-Subject: xen/privcmd: fix double free via VMA splitting
-
-From: Juergen Gross
-
-commit 24daca4fc07f3ff8cd0e3f629cd982187f48436a upstream.
-
-privcmd_vm_ops defines .close (privcmd_close), but neither .may_split
-nor .open. When userspace does a partial munmap() on a privcmd mapping,
-the kernel splits the VMA via __split_vma(). Since may_split is NULL,
-the split is allowed. vm_area_dup() copies vm_private_data (a pages
-array allocated in alloc_empty_pages()) into the new VMA without any
-fixup, because there is no .open callback.
-
-Both VMAs now point to the same pages array. When the unmapped portion
-is closed, privcmd_close() calls:
- - xen_unmap_domain_gfn_range()
- - xen_free_unpopulated_pages()
- - kvfree(pages)
-
-The surviving VMA still holds the dangling pointer. When it is later
-destroyed, the same sequence runs again, which leads to a double free.
-
-Fix this issue by adding a .may_split callback denying the VMA split.
-
-This is XSA-487 / CVE-2026-31787
-
-Fixes: d71f513985c2 ("xen: privcmd: support autotranslated physmap guests.")
-Reported-by: Atharva Vartak
-Suggested-by: Atharva Vartak
-Signed-off-by: Juergen Gross
-Reviewed-by: Jan Beulich
-Signed-off-by: Greg Kroah-Hartman
---
- drivers/xen/privcmd.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
---- a/drivers/xen/privcmd.c
-+++ b/drivers/xen/privcmd.c
-@@ -934,6 +934,12 @@ static void privcmd_close(struct vm_area
- kvfree(pages);
- }
- 
-+static int privcmd_may_split(struct vm_area_struct *area, unsigned long addr)
-+{
-+ /* Forbid splitting, avoids double free via privcmd_close(). */
-+ return -EINVAL;
-+}
-+
- static vm_fault_t privcmd_fault(struct vm_fault *vmf)
- {
- printk(KERN_DEBUG "privcmd_fault: vma=%p %lx-%lx, pgoff=%lx, uv=%p\n",
-@@ -945,6 +951,7 @@ static vm_fault_t privcmd_fault(struct v
- 
- static const struct vm_operations_struct privcmd_vm_ops = {
- .close = privcmd_close,
-+ .may_split = privcmd_may_split,
- .fault = privcmd_fault
- };
-